Thailand: Health and Pharma Overview
1. Governing Texts
Health and pharmaceuticals regulations intersect with general privacy and data protection law, which has led to general guidelines on the obligations of sanatoriums and medical practitioners when handling patients' personal data. These laws and regulations address patients' data protection rights (the fundamental rights of a data subject relating to data collection, data retention periods, data transfer, data disclosure, etc.).
The key health and pharmaceuticals legislation that interacts with general privacy and data protection law in Thailand, which is governed by the Personal Data Protection Act 2019 ('PDPA'), is as follows:
- National Health Act B.E. 2550 (2007);
- National Health Security Act B.E. 2545 (2002);
- The Medical Profession Act B.E. 2525 (1982);
- Sanatoriums Act B.E. 2541 (1998) ('the Sanatoriums Act'); and
- The Medical Council Regulations on Medical Ethics Preservation B.E. 2549 (2006) ('the Medical Council Regulations').
For this overview, the above are collectively referred to as the relevant legislation.
1.2. Supervisory authorities
The Ministry of Public Health and the Personal Data Protection Committee ('PDPC') are the responsible supervisory authorities; the Ministry of Digital Economy and Society (formerly known as the Ministry of Information and Communication Technology) was previously responsible.
The relevant legislation does not provide specific definitions. The PDPA, however, does provide specific definitions relating to personal data and privacy, which are listed below.
Personal data: Any data of a living person that could be used, directly or indirectly, to identify that person (e.g. an identification number, email address, bank account number, etc.).
Data controller: A natural or legal person who has the power and duty to make decisions regarding the collection, use, or disclosure of personal data.
Data processor: A natural or legal person who processes personal data under the instruction or on behalf of the data controller.
Sensitive data: Under the PDPA, 'sensitive data' is understood to mean any data relating to race, ethnic origin, political views, doctrinal, religious or philosophical beliefs, sexual behaviour, criminal records, health records, and biometric information.
Clinical research and trials (i.e. research studies and experiments on humans) are subject to medical ethics standards under:
- the Medical Council Regulations; and
- the Declaration of Patient's Right published by the Ministry of Public Health and other relevant health authorities (e.g. the Nursing and Midwifery Council, the Medical Technology Council, etc.) ('the Patient Declaration').
Such research may only be undertaken upon the approval of a responsible research ethics committee, either within or outside the organisation that will undertake the research. Essentially, the consent of human subjects must be obtained prior to commencing the research. Researchers (i.e. medical practitioners) are responsible for any risk or damage arising from such research.
The Medical Council Regulations do not specify the information that must be notified to participants in order to obtain their consent to participate in research, nor do they set out periodic reporting requirements. However, according to the guidelines of the ethics committees of the relevant organisations (which are consistent with the World Medical Association Declaration of Helsinki on Ethical Principles for Medical Research Involving Human Subjects) and the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use ('ICH') Good Clinical Practice Guideline of the Food and Drug Administration ('FDA') of the Ministry of Public Health (only available in Thai), researchers must provide all information related to the research, such as:
- the risks and benefits of participating in the research;
- the right to confidentiality of the participants;
- the obligations of the researcher to participants (e.g. insurance, compensation, etc.);
- remuneration (if any); and
- the contact information of the researchers, presented in clear and plain language so that participants can decide whether to participate in, or withdraw from, the research.
Researchers must ensure that participants have duly understood the relevant information and appreciated the situation and consequences of the research.
Referring to the Patient Declaration mentioned above, each participant has a lawful right to request information regarding his/her role in the medical research prior to participating in or withdrawing from such research. In addition, the purpose of collecting and processing personal data required for medical research, including any relevant information, must be notified to participants for their consent as mentioned in the section on Clinical Research and Clinical Trials above.
With regard to data retention, such data is required to be kept confidential, in accordance with medical ethics standards under the Medical Council Regulations and Patient Declaration.
In addition, under the PDPA, any natural or legal person, including a medical practitioner, who collects and makes decisions on the processing of a data subject's personal data (i.e. for the purposes of medical or clinical research) is considered a data controller. The data controller, in this regard, has an obligation to inform data subjects of the purposes of collecting their personal data, to provide them with information relating to the processing of their personal data (e.g. the retention period, the rights of a data subject, contact information, the possible consequences of not providing their personal data, the recipients to whom the personal data will be disclosed, etc.) prior to or during data collection, and to obtain the explicit consent of data subjects, either in writing or via electronic form, to collect their personal data. Additional information on the requirement of consent is discussed in section 2.1.1. below.
Any change to the purpose of personal data processing that differs from what a data subject originally consented to must be notified to the data subject in order to obtain their consent again. Records of personal data processing activities must be retained for reasons of transparency.
Also, with regard to retention restrictions, a data controller is required to provide security measures (with minimum standards as prescribed by the PDPC, which will be published in the future) to prevent the loss, access, use, alteration, revision, or disclosure of personal data without authorisation. Such security measures for processing operations shall be reviewed when deemed necessary or when the security technology changes.
Please refer to the section on Data Management below for further details on the retention of patients' personal data.
Under the Medical Council Regulations and Patient Declaration, researchers are required to obtain the consent of participants. However, neither of the two specifies how consent is to be obtained. Nevertheless, researchers must provide all information related to the research, such as risks and benefits of participating in the research, the right to confidentiality of the participants, and researcher obligations towards participants.
With regard to the consent of minors (i.e. those under the age of 18) and incompetent persons, their parents or legal guardians have the lawful right to exercise their rights on their behalf, including providing consent to participate in the research and requesting relevant information.
As a researcher is considered to be a data controller under the PDPA, obtaining consent from the participants will also be subject to the PDPA.
Under the PDPA, a data controller is required to obtain the explicit consent of participants, either in writing or via electronic form, in order to collect their personal data. In order to collect participant personal data, each participant must be provided with information relating to the processing of their personal data, including:
- details of the personal data to be collected;
- purposes of collection, including the legal basis for the collection;
- data owner rights (e.g. the right to access, right to erasure, right to object, right of withdrawal, etc.);
- data retention period;
- recipients or their categories, either as an individual or organisation, to which the personal data will be disclosed; and
- contact details of the employer (as a data controller) and the data protection authority.
The requirement to obtain consent may only be set aside where at least one of the following grounds applies:
- pursuing a legitimate interest by the data controller and other third parties;
- archiving historical research or for statistical purposes;
- preventing or suppressing damage to the life, body, and health of an individual (i.e. vital interests);
- complying with obligations under a contract to which the data subject is a party, or in response to a data subject's request prior to entering into a contract;
- complying with the legal obligations of the data controller; or
- performing a task carried out in the public interest or in the exercise of an official right vested in the data controller.
In addition, any participant (or, in the case of a minor or an incompetent person, his/her legal guardian) has the lawful right to withdraw consent at any time regarding the use of his/her personal data, unless a restriction on the withdrawal of consent is specified in the law or in a contract that is beneficial to the participant. Where consent is withdrawn, the data controller must stop using, disclosing, and possessing such personal data.
2.3. Data obtained from third parties
Under the Medical Council Regulations and Patient Declaration, there are no specific requirements in relation to obtaining data from third parties. The PDPA, however, specifically prescribes restrictions on obtaining data from third parties.
Under the PDPA, a data controller cannot obtain data subjects' personal data from third parties, except:
- where the data controller notifies the data subject of such collection from third parties, no later than 30 days from the date of collection, and obtains the data subject's consent; and
- where the data collection does not require any consent from a data subject as mentioned in 2.1.1. above.
According to the Ministerial Regulation on Drug Registration B.E. 2555 (2012) (only available in Thai) ('the Ministerial Regulation on Drug Registration'), an authorised drug manufacturer or drug importer ('the Licensee') is required to apply for drug registration with the FDA of the Ministry of Public Health in order to distribute a drug in Thailand. Once such registration has been completed, the Licensee has an obligation to provide an Adverse Drug Reaction ('ADR') report, if any, for the purpose of assessing causality between drugs distributed to consumers and adverse health reactions.
The ADR report in this regard should include information relating to ADRs, such as:
- any adverse reactions resulting from the use of the drug;
- details of the drug; and
- general patient information, including non-identifying information such as hospital reference number, gender, weight, nationality, drug allergy history and congenital diseases, and certain identifying information such as the full name and identification number of the patient. Such identifying information, however, is not strictly required to be provided to the FDA, and may only be included in the ADR report with the consent of each patient.
The FDA does not have any specific rules relating to pseudonymisation/anonymisation or data retention-related matters. However, as all information in the ADR report is considered official information, it shall be subject to standard requirements under the:
- Official Information Act B.E. 2540 (1997); and
- The Regulation on State Secrets B.E. 2544 (2001) (only available in Thai) ('the Regulation on State Secrets').
Under the Regulation on State Secrets, all information in the ADR report shall be perpetually kept confidential. Only an authorised person shall be allowed to access and/or use such information. Any transfer of information between or within government entities must be recorded and kept as confidential as well. Any disclosure of a medical report or personal information that will unreasonably encroach upon the right of privacy shall be strictly prohibited.
Establishment and Conditions of Biobanking Activities
Currently, there are no specific rules on biobanking activities in Thailand. In general, biobanking activities are carried out for research purposes, and therefore the rules under the Medical Council Regulations and Patient Declaration, as well as the PDPA as mentioned in the section on Clinical Research and Clinical Trials above, apply. In this regard, before any biobanking activity is performed, the human subject must be informed of all information related to the activity (such as the risks and benefits of participating and the participant's right to confidentiality) in order to give consent; this is considered a principal requirement for researchers and medical practitioners.
Collection of Samples and Information Attached to Them
According to the Medical Council Regulations and Patient Declaration, the consent of human subjects is required prior to collecting their biological matter (i.e. bodily fluid or tissue samples), as well as their information.
Processing and Storage of the Samples
Currently, Thailand has no specific requirements on the processing and storage of samples obtained from biobanking activities.
Registers Established for the Purposes of Biobanks
Any establishment where biobanking activities take place may be considered a sanatorium, and shall therefore be subject to requirements and specific licences under the Sanatoriums Act.
Rights of Registered Individuals and Protecting their Information
Under the Medical Council Regulations and Patient Declaration, the right of human subjects to the confidentiality of their personal data is recognised. Researchers and medical practitioners have a strict obligation to keep the personal data of human subjects confidential. The disclosure of such data is only allowed upon their consent.
The relevant legislation imposes an obligation on sanatoriums (such as hospitals and clinics) and medical practitioners (such as doctors, nurses, and pharmacists) to collect and retain patients' personal information, including name, age, identification card number, medical records, etc., for medical treatment purposes. All patient personal information must be kept confidential in accordance with medical ethics for at least five years from the date of record. Patient personal information may only be disclosed if the patients themselves consent or if medical practitioners have a legal obligation to disclose it for the benefit of patients.
The relevant legislation does not specify that patient consent is required for the above data collection and processing. Instead, the general requirement for data subject consent under the PDPA, including any applicable exemption, may apply, as discussed in the section on Consent above.
No cases relating to the above issues have been filed in the courts. Normally, the unauthorised collection, use, or disclosure of patient personal data by medical practitioners is a violation of medical ethics, and the medical practitioners involved in any such incident would be subject to disciplinary action and liabilities, the details of which are not made public.
General Obligations on the Data Controller
Data controllers have legal obligations under the PDPA for the collection, use, or disclosure of personal data. In addition, data controllers must guarantee the fundamental rights of data subjects, including the rights to erasure and data portability.
Permitted Uses of Data
Data controllers that collect and/or process personal data must obtain data subject consent either in writing or via electronic form unless otherwise permitted by law (as mentioned in the section on Consent above).
Obligations in Respect of Disclosure of Records to Other Medical Professionals (e.g. Individuals' GP) or to Family Members/Representatives
The disclosure of records to other medical professionals or to family members/representatives is prohibited unless:
- consent is obtained from the data subject; or
- there is a reason to prevent or suppress danger to a data subject's life, body, or health.
Data Security Requirements
In the future, the PDPC will release supplemental regulation(s) providing a list of security measures for personal data protection under the PDPA.
The relevant legislation and the PDPA do not provide specific definitions for anonymisation and pseudonymisation. Under the PDPA, however, a data subject has the right to request that the data controller erase or destroy personal data, or anonymise personal data so that the data subject cannot be identified from it.
As mentioned in the section on Data collection and retention above, patient personal data must be retained in an examinable condition by the data controller for at least five years from the date of record.
There are no specific requirements relating to a data protection officer ('DPO') under the relevant legislation. However, medical practitioners as data controllers have an obligation to appoint a DPO if:
- the activities of a data controller relating to collection, use, or disclosure require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of a data controller relate to the collection, use, or disclosure of sensitive data (e.g. religious beliefs, ethnic origin, health record, etc., as mentioned in the section on Definitions above).
The DPO, in this regard, is required to have expertise in personal data protection, and can be a staff member of a data controller or data processor, or a contractor under a service contract.
Under the relevant legislation, there are no specific requirements on outsourcing.
However, outsourcing to other natural or juristic persons the collection, use, or disclosure of data subjects' personal data on behalf of or as instructed by the data controller (which includes medical practitioners) is subject to the PDPA. In this regard, an outsourcing agreement between the data controller and the outsourced person (i.e. the data processor) is required in order to set out the obligations in processing data subjects' personal data as prescribed under the PDPA. Data controllers based outside Thailand that are involved in certain forms of data processing are obliged to designate in writing a representative based inside Thailand.
The data processor must strictly follow the instructions of the data controller when collecting, using, and disclosing personal data, and must provide appropriate security measures to prevent unauthorised or unlawful processing. In addition, the data processor must inform the data controller of any personal data breach.
Under the relevant legislation, there are no specific requirements on the transfer of sensitive personal data.
However, the transfer of patient personal data, including sensitive data, is subject to the general requirements under the PDPA. Information relating to the data transfer and the recipient(s) who will receive their personal information must be provided to patients in order to obtain their consent, unless otherwise permitted by law.
Where patient personal data is to be transferred to a third country or an international organisation, the transfer is only permitted if the destination country or international organisation provides an adequate level of protection, as prescribed by the PDPC, unless the transfer satisfies one of the following criteria:
- the transferor has obtained consent from data subjects who have been informed of the inadequate level of data protection;
- it is necessary to perform an obligation under a contract or the transfer is at the request of a data owner;
- it is performed pursuant to a significant public interest;
- the transfer is pursuant to the law; or
- it is necessary to protect the vital interests of the data owner or any person when such data owner cannot give his/her consent.
Under the relevant legislation, there is no specific obligation to report a personal data breach to a supervisory authority or data subject. There is, however, a general obligation under the PDPA which does apply.
In the case of a personal data breach under the PDPA, the data controller must notify the PDPC of the breach, except where the personal data breach is unlikely to result in a risk to individuals' rights and freedoms. In addition, a personal data breach must be notified to the PDPC without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. The requirements of this notification, including its exceptions, will be further published in supplemental regulation(s) of the PDPC.
Under the PDPA, if a personal data breach is likely to result in a high risk to data subject rights and freedoms, the data controller must notify the breach to data subjects, in addition to the PDPC.
9. Data Subject Rights
The relevant legislation and Patient Declaration specify that personal information of patients, including of minors, provided to the medical practitioner must be kept confidential. Such personal information shall only be disclosed upon the consent of patients or to comply with a medical practitioner's legal obligations which are beneficial to patients.
In addition, each patient has a lawful right to request information regarding his/her medical treatment as it appears in the medical record. Such information must be requested in accordance with the hospital's procedures, and the request shall not infringe the personal information and rights of other persons. The rights of minors are exercised by their parents or legal guardian, as mentioned in the section on Consent above.
With regard to the PDPA, the following rights are provided to each data subject:
- right to erasure: a data subject has the right to request that their personal information be deleted, unless exceptions apply;
- right to be informed: a data subject has the right to be informed of specific information relating to the collection and processing of personal data;
- right to object: a data subject has the right to object to the processing of his/her personal data as well as to withdraw his/her consent to the processing at any time;
- right to access: a data subject has the right to access his/her personal data that has been collected and processed by a data controller; and
- right to data portability: data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format as well as to transmit such data to third parties.
The right of a deceased person is not recognised under the relevant legislation, the PDPA, or Patient Declaration.
In addition, as mentioned in the section on Consent above, in order to collect patient personal data, a data controller must provide patients with information relating to the processing of their personal data (such as details of the personal data to be collected, the purposes of collection, and the fundamental rights of patients as data subjects) in order to obtain their consent. However, there are cases where a data controller is required to disclose information relating to the processing of patients' personal data without obtaining their consent, such as where the collection is to prevent or suppress damage to a patient's life, body, or health.
Under the relevant legislation, if medical practitioners breach their medical ethics in the retention of patient personal data, they shall be subject to criminal or monetary penalties, and/or disciplinary action, such as having their practitioner licence suspended or revoked. As another example, a sanatorium licensee who discloses patient personal information without having been duly authorised shall be imprisoned for up to one year and/or fined up to THB 20,000 (approx. €550).
As for penalties under the PDPA, in the case of non-compliance, imprisonment for up to one year and/or a fine up to THB 1 million (approx. €27,500) shall be imposed. The PDPA also provides authority for a competent court to increase the amount of compensation by up to double the actual damages at the court's discretion, as punitive damages. In addition, an administrative fine of up to THB 5 million (approx. €137,500) (which is subject to the severity of the circumstances) may be issued by the authority for non-compliance.
11. Other Areas of Interest
Currently, there are no laws on telemedicine, medical devices, or digital health records relating to the PDPA.